- From: François Légaré <flegare@gmail.com>
- Date: Fri, 14 Aug 2015 21:42:04 -0400
- To: Brad Hill <hillbrad@fb.com>
- Cc: Nick Doty <npdoty@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
- Message-ID: <CAGhQHriJDj91JhURXUuQzqpMx+ABshw9h6rSC9XEW3ukcJ5YBA@mail.gmail.com>
Hi Brad, Do you want me to post the suggestion there or you will do it? Regards, Francois On Fri, Aug 14, 2015 at 1:10 PM, Brad Hill <hillbrad@fb.com> wrote: > François, > > I've definitely heard and have some interest of my own in similar > functionality for different use cases like making sure that advertisements > cannot make lasting changes to the browser state. This is another > interesting use case. > > Can please raise it over on the WebAppSec list? > > public-webappsec@w3.org > > Thanks! > > Brad Hill > Co-chair, WebAppSec WG > > From: Nick Doty > Date: Thursday, August 13, 2015 at 1:56 PM > To: François Légaré > Cc: "public-privacy (W3C mailing list)" > Subject: Re: Suggestion for sensitive online content > Resent-From: <public-privacy@w3.org> > Resent-Date: Thu, 13 Aug 2015 20:56:12 +0000 > > Hi François, > > That's an interesting privacy problem and proposal. (I've changed the > subject line, because I believe you're primarily talking about sensitive > content, rather than sensible content.) > > Work has begun recently in the WebAppSec group on a mechanism (HTTP > response header) for sites to clear all local content (like cookies and > localStorage) for their origin, as a security and privacy measure: > http://www.w3.org/TR/clear-site-data/ > <https://urldefense.proofpoint.com/v1/url?u=http://www.w3.org/TR/clear-site-data/&k=ZVNjlDMF0FElm4dQtryO4A%3D%3D%0A&r=HU3cThGizwgsko8%2BWBMXZg%3D%3D%0A&m=BqHHzeeQlJjSH8M%2FVZ2i2W4N%2BgJhjW2yFAyTWC3qmeY%3D%0A&s=da5b23ec2320fecad80eae7153e31be8620af5562ea272f3e615c98d811211f8> > > I'm not sure they're specifically considering the use case of wanting to > clear browser history for a potentially sensitive website, but it sounds > not dissimilar from their set of goals, so it would be worth considering. > > The other existing technology that could be used would be declarative > mechanisms for content selection, like PICS (deprecated) and POWDER: > http://www.w3.org/2007/powder/ > <https://urldefense.proofpoint.com/v1/url?u=http://www.w3.org/2007/powder/&k=ZVNjlDMF0FElm4dQtryO4A%3D%3D%0A&r=HU3cThGizwgsko8%2BWBMXZg%3D%3D%0A&m=BqHHzeeQlJjSH8M%2FVZ2i2W4N%2BgJhjW2yFAyTWC3qmeY%3D%0A&s=e1a56ab863bd5310a0b83f711f5b11a88c333f20c6fdea1e51d4c9ea01ec2d87> > > That would be an existing mechanism to declare a value like, > "sensitive-anonymous", which supporting user agents could interpret as a > sign that they should use private browsing mode (no local cache). > > It sounds like the site you're working with would be willing to spend the > minor resources to implement this kind of flag. We would need to check > whether prominent browser vendors are interested in implementing the > client-side version. > > Hope this helps, > Nick > > On Aug 12, 2015, at 10:42 AM, François Légaré <flegare@gmail.com> wrote: > > Hi > > I work for a big telecom company in Canada that currently give various > sponsorship for mental health organisations. Part of the sponsorship is > making sites and mobile applications to help individual get online help and > access information and resources that are often sensible. > > One example is http://www.kidshelpphone.ca/ > <https://urldefense.proofpoint.com/v1/url?u=http://www.kidshelpphone.ca/&k=ZVNjlDMF0FElm4dQtryO4A%3D%3D%0A&r=HU3cThGizwgsko8%2BWBMXZg%3D%3D%0A&m=BqHHzeeQlJjSH8M%2FVZ2i2W4N%2BgJhjW2yFAyTWC3qmeY%3D%0A&s=fd622e7d1f8405aac1bf7aa1d8e74fca02146d4ba5efb0cd6cbba7a77464c672> they > provide anonymous phone line for kids that may have issue or problem in > their family. This lead to a sensitive problem, a kid visiting this site > need to know how to clean browsing history since a adult seeing the > browsing history might challenge the kids about the visit and lead to more > stress or bigger problems. They did explain on the site header how to flush > history and train visitor about the anonymous tab, this isn't perfect at > all, because it really entirely on the user actions and the assumption that > he read and understood the section. > > Since not all internet user are tech savvy and are aware of the anonymous > tabs, so my suggestion for the W3C would be the following: > > A head meta tag that could help define sensitivity level of the online > html content. This tag once detected by the browser could apply various > policy to increase anonymity and reduce potential problems, ideally default > policies would implicitly insure higher privacy for the end users. > > For instance browser that detect the meta tag could automatically go in > "anonymous mode" and don't track browsing history, remove cached content, > etc. This will insure a more anonymous browsing experience for such site > for users that are less aware of the already available privacy features. > Content rating meta tag to some extends could be used but this is a bit > far fetch but could be less involving since tags already exist. > > Of course I'm quite sure, site with adult content would also be like such > features but this is not really the issue I'm trying to resolve at this > point. > > According to some of the W3C members this is a valid place to submit this > suggestion, I hope this will be well received. > > Regards, > > Francois > > >
Received on Saturday, 15 August 2015 01:43:12 UTC